More malware found hosted in Google’s official Android market

Security researchers have found more malware hosted in Google's Android marketplace, the Google Play Store, a discovery that once again demonstrates the limitations of a recently deployed scanning service designed to flag malicious apps before they can be downloaded by end users.

Android.Dropdialer, a trojan that racks up costly charges from forced calls made to premium phone numbers, was found in two separate titles that weren't caught for weeks, according to a blog post published Tuesday by Irfan Asrar, a researcher with antivirus provider Symantec. "Super Mario Bros." and "GTA 3 Moscow City," as the malicious apps were packaged, generated as many as 100,000 downloads, although Asrar didn't say if that figure was for each separate title or in aggregate.

"What is most interesting about this Trojan is the fact that the threat managed to stay on Google Play for such a long time, clocking up some serious download figures before being discovered," Asrar wrote. "Our suspicion is that this was probably due to the remote payload employed by this Trojan."

In a blog post published last year, Asrar explained how breaking up a malicious app into separate, staged payloads prevented automated screening processes from detecting the malware. The idea behind the technique is that rather than including all the malicious code in a single file, attackers break it up into separate modules that are delivered independently. In the case of Android.Dropdialer, the first stage was posted on Google Play (formerly known as the Android Market) and once installed it would download additional packages.

The post appears to say that victims of this malware were at some point still presented with a list of permissions that included "services that cost you money," which would mean that end users who fell prey to this threat shoulder much of the responsibility. But considering the malicious titles were hosted on Google's own servers, it seems the company should also share some of the blame. In February, the search giant unveiled Bouncer, a cloud-based malware scanner. Since then, researchers have independently discovered abusive apps in Google Play on at least two other occasions. Researchers also found malware hosted in the Google Chrome Web store.
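The staged design described above can be made concrete with a small screening sketch. This is an added example, not code from the article, Symantec, or Google's Bouncer: it shows why a permission check alone passes a first stage that declares nothing costly, and what indicators of "fetch and install more code later" a reviewer can look for instead. The manifests, URLs, marker names and the `triage` helper are constructed for illustration, and manifests are assumed to be already decoded to text XML.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions Android grouped under "services that cost you money".
COST_MONEY = {"android.permission.CALL_PHONE", "android.permission.SEND_SMS"}
# Strings suggesting the app can fetch and install or load code after review.
STAGE_MARKERS = {
    "apk_install_intent": re.compile(r"application/vnd\.android\.package-archive"),
    "dynamic_dex_load": re.compile(r"\bDexClassLoader\b"),
    "remote_apk_url": re.compile(r"https?://[^\s\"']+\.apk\b"),
}

def manifest_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def triage(manifest_xml, code_strings):
    """Flag cost-incurring permissions and signs of a staged loader."""
    perms = manifest_permissions(manifest_xml)
    markers = sorted(name for name, rx in STAGE_MARKERS.items()
                     if any(rx.search(s) for s in code_strings))
    findings = []
    if perms & COST_MONEY:
        findings.append("cost-money-permission")
    # A first stage needs network access plus a way to install or load code.
    if "android.permission.INTERNET" in perms and markers:
        findings.append("staged-loader")
    return {"findings": findings, "markers": markers}

def manifest(*perms):
    """Build a constructed sample manifest declaring the given permissions."""
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>'
                   for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.sample">{uses}</manifest>')

# Constructed samples (not taken from the Symantec analysis).
FIRST_STAGE = (manifest("INTERNET", "WRITE_EXTERNAL_STORAGE"),
               ["http://files.example.invalid/update.apk",
                "application/vnd.android.package-archive"])
SECOND_STAGE = (manifest("CALL_PHONE"), ["tel:"])
PLAIN_GAME = (manifest("INTERNET"), ["http://cdn.example.invalid/levels.dat"])

if __name__ == "__main__":
    samples = [("first stage", FIRST_STAGE), ("second stage", SECOND_STAGE),
               ("plain game", PLAIN_GAME)]
    for name, sample in samples:
        print(name, triage(*sample))
```

In the constructed first stage, the cost-incurring permission never appears, so only the loader markers give a screening step anything to act on.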

And this is why Apple doesn't allow remote data to be downloaded after the fact. Sucks for browsers but it helps.

You're a little off. Your app can't execute user supplied code. I've worked on games using an engine with a built in scripting language, where those scripts were added in extra downloaded data.

While something like this is easier to pull off in the Android store by its nature, there's nothing stopping me from writing a flashlight app for iOS that downloads new code after it hits market and steals your datas.

There's a fundamental problem with the way Android's install works. Sure you can blame the user for not noticing the permission list, but there's also a very well understood security hole that the dialog does not solve. In fact, that dialog is the cause of the loophole. It's called Dancing Pigs and the fundamental problem is, given a choice between dancing animals and security, a user will pick dancing animals almost every time.

That permissions list is basically getting in the way of the user and few people will read it. In fact, since ICS, it's gotten HARDER to read the list - it used to be that the "install" button was at the bottom of the list, now it's at the very top, making it stupidly easy to skip.

Yup. "Services that cost you money" could just mean the ability to directly send an SMS message, which if you have an unlimited plan doesn't cost you money. Basically to do anything interesting or useful it seems like an app will often need permissions that could easily be used for malicious purposes as well. A 3rd party map/gps app will require fine location and full network access, for instance...but that also could easily allow for tracking users without their knowledge.

76 Reader Comments

I've been wondering about how so many apps I purchased frequently need to download additional data before they can be used. Am I correct in guessing from this article that since I am not presented with an install dialogue that includes permissions information the additional download is just data and not another program?

The Symantec blog doesn't mention this, but wouldn't you have to have enabled installation from unknown sources in order to install the second apk? Otherwise the only thing you can do is take the user to the market to install something, where the second apk presumably won't be found.

Not really. For example UNO can download game files on its own, though it does put it on the SD card, so not sure...

Fact: Users don't read "permissions". It's just another annoying screen you have to click to get past, like a EULA.

In other words, not the best security measure.

That's why people love Apple's security - it does all the work for them, no exceptions either with an "install from 3rd party sources." That part I cannot live with, and no, I don't feel like I should have to jail break.

Right, so you can download content, and even code that will be JIT compiled to native instructions and executed, but the intent for installing apps (which is needed at least for adding permissions for phone calls and services that cost money) will AFAIK fail if it's not a market URL and unknown sources isn't turned on.

The one exception is it could manually install the code or binary, but this would require superuser privileges. And hopefully those savvy enough to get root access will know better than to grant such an application root access. A savvier method would be for the app to obtain root by itself, but that generally requires locking the device up for a few minutes, and sometimes even a reboot or two.

And this is why Apple doesn't allow remote data to be downloaded after the fact. Sucks for browsers but it helps.

You're a little off. Your app can't execute user supplied code. I've worked on games using an engine with a built in scripting language, where those scripts were added in extra downloaded data.

While something like this is easier to pull off in the Android store by its nature, there's nothing stopping me from writing a flashlight app for iOS that downloads new code after it hits market and steals your datas.

Right on the money, other than you would have to negate the sandboxing and other aspects of it. There's an app that already downloads additional data (up to 450+ MB for iPad and 50MB for the iPhone): the Ikea catalog. http://itunes.apple.com/us/app/ikea-cat ... 50483?mt=8

@JasePow Problem is, the Apple solution does seem to provide better security, and that is important. Making bleating noises, which isn't unexpected from your posting history, doesn't change the facts. Perhaps it's possible to produce an open app market place that doesn't include malware but no one seems to be able to do it.

While I understand Google probably should have looked into the apps for trademark reasons, why would any user download Mario with the developer not being Nintendo or Grand Theft Auto with the developer not being Rockstar?

Would it be complete anathema to have some kind of market that was midway between the two? Perhaps some kind of review and/or vetting process for apps by an official board or group? No app would be denied a place in the market, but the customers would have some kind of at least semi-accurate rating as to the app's utility or safety?

I really don't have any exposure to the Android app market; all of my experience so far has been with the Apple app store. Is there any kind of rating system already in place? How effective is it? Do people pay any attention to the ratings or just go ahead and take a chance on new apps?

Android's app store has user ratings, on both a five star system and user comments on the apps. Furthermore, there are download counters showing how many times an app has been downloaded.

People are very vocal in the posts about the quality of apps and problems with them.

If anyone is dumb enough to download an app with less than 500 downloads, a low star rating, and negative posts, they're clearly incompetent.

While something like this is easier to pull off in the Android store by its nature, there's nothing stopping me from writing a flashlight app for iOS that downloads new code after it hits market and steals your datas.

Yes there is: the downloaded code has to be signed by Apple, or else the kernel will refuse to execute it. And Apple doesn't provide any mechanism for signing arbitrary code, they only sign App Store apps.

There have been security holes in this system, but as far as I know there aren't any known vulnerabilities right now and they usually get closed quickly.

If anyone is dumb enough to download an app with less than 500 downloads, a low star rating, and negative posts, they're clearly incompetent.

Most of these articles are just FUD, honestly.

They estimate between 50,000 and 100,000 downloads for the app in this article.

Sure, the star rating is pretty poor... but that is a *lot* of downloads. Blame the users all you want, but the reality is people are falling for it.

The amount of scrutiny Apple gives an app changes depending on how popular it is. The example in this case, "Super Mario Bro's", with artwork clearly from Nintendo themselves, and approaching 100,000 downloads... that would have gone through extra close scrutiny and rejected once they failed to prove it is an official Nintendo sanctioned app.

The amount of scrutiny Apple gives an app changes depending on how much it interferes with Apple profits and similar Apple services. The example in this case, "Super Mario Bro's", with artwork clearly from Nintendo themselves, and approaching 100,000 downloads... that would have gone through extra close scrutiny and rejected once they failed to prove it is an official Nintendo sanctioned app.

How about you check how many versions of your "fart app" are available before you purchase it to find out if it "maybe" has malware??? It's called "common sense." Either you subscribe to it, or you are one of the mindless masses. Caveat Emptor.

@JasePow Problem is, the Apple solution does seem to provide better security, and that is important. Making bleating noises, which isn't unexpected from your posting history, doesn't change the facts. Perhaps it's possible to produce an open app market place that doesn't include malware but no one seems to be able to do it.

My posting history?!?! You mean I already earned my place in MS's Siebel database?!?! WOW!!! After 3-4 posts, I'm impressed with their data mining, ... must be using Google. Either that, or I've got myself a cyber-stalker...

I'd rather have some obvious malware on the market than have all my apps subject to Apple's every whim. Seriously, that's a tiny price to pay. Besides, a lot of the apps that I rely on simply do not have iPhone equivalents without jailbreaking (SwiftKey for example).

It seems that a lot of Ars forum people forget that the average joe a) doesn't have any technical knowledge/skills/interest and b) just wants his phone & apps to work and not steal his stuffs.

Apart from never being able to find anything on either market (Why IS the Google Market search tool so poor?), you can't judge by ratings (easy to up rate a new app), downloads (If you are only supposed to trust an app with over 100K downloads, how does an app with less get downloaded?), or even by Google's policing.

Most people here assume that phone users are smart and know the app market, but they are wrong; a lot of these phones are being bought for or by kids. They see Super Mario Brothers or whatever and just go for it. They have no idea about malware etc. The next thing they know their credit is zero, then they top up the phone and the cycle continues. Google should do more to protect these users.

While I understand Google probably should have looked into the apps for trademark reasons, why would any user download Mario with the developer not being Nintendo or Grand Theft Auto with the developer not being Rockstar?

You bring up a very good point. Has Apple not published Pokemon games from other publishers other than Nintendo?

I think the real problem is that people are installing fake Super Mario Brothers games and Fake GTA games to be honest.

As any good software engineer knows, and Google appears to also know, you can't fix stupid.

theJonTech wrote:

Lwio wrote:

Most people here assume that phone users are smart and know the app market, but they are wrong; a lot of these phones are being bought for or by kids. They see Super Mario Brothers or whatever and just go for it. They have no idea about malware etc. The next thing they know their credit is zero, then they top up the phone and the cycle continues. Google should do more to protect these users.

Blame the user?

How about having a market free of malware?

It'd be another thing if they got it from some seedy site....

Apple's App Store is not free of fake and malicious software; there was malware approved by Apple just in the last 10 days. Easier to educate users; of course this never works.

Yes, some may sneak through into the app store, but the system is set up to prevent this; it's a proactive system. Google seems to be running a retroactive system. The fact they are fake apps does not matter; they could be any kind of apps. Wallpaper apps seem to be a current favourite.